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DATE: June 26, 2008 

TO: Examiner Shaifer Harriman; Tel. 571.272.7910; Fax. 571.27x.xxxx 

FROM: Karl Rees; Tel. 408-414-1233; Fax 408-414-1076 

SUBJECT: U.S. Patent Application No. 10/797,773 (Rayes, et al.) 

Attorney Docket No. 50325-0865 

3 rd Office Action (Non-Final) 



Proposed Agenda for Telephone Interview 

I. Request clarification on rejection of Claim 14 
a. The Office Action does not clearly allege: 

i. What aspect of the references is a "malicious act" 

ii. What aspect of the references teaches "determining whether a malicious act 
caused the security event" 

iii. What aspect of the references teaches "if a malicious act caused the security 
event, then providing information ... to a security decision controller." 

iv. What aspect of the references teaches "if a malicious act did not cause the 
security event, then removing the user from the elevated risk group." 

II. Request clarification regarding suggestion / motivation to combine the references 

III. Proposed Amendments to Claim 1 
a. Option I: see II [0042 ]-[0043 ] 

1. (Previously presented) A method, comprising the computer-implemented steps of: 

in a security controller that is coupled, through a network, to a network device having a 
first network address assigned from a first subset of addresses within a first 
specified pool associated with normal network users: 

determining a user identifier associated with the network device that has caused a 

security event in the network; 
in response to the security event, causing the network device to acquire a new 

second network address that is selected from a second subset of addresses 

within a second specified pool associated with suspected malicious 

network users; 

wherein causing the network device to acquire a new network address 
comprises causing the network device to request a new network 
address; 

wherein the second subset of addresses is different from the first subset of 
addresses; and 

configuring one or more security restrictions with respect to the new network 
address. 
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b. Option 2: see ff [0003 ]-[0004] 



1. (Previously presented) A method, comprising the computer- implemented steps of: 

in a security controller that is coupled, through a network, to a network device having a 
first network address assigned from a first subset of addresses within a first 
specified pool associated with normal network users: 

determining a user identifier associated with the network device that has caused a 
security event in the network; 

wherein the security event is an event that indicates at least one of: a 
possible denial of service attack, possible IP address spoofing, 
extraneous requests for network addresses, and possible MAC 
address spoofing: 

in response to the security event, causing the network device to acquire a new 

network address that is selected from a second subset of addresses within a 
second specified pool associated with suspected malicious network users; 
wherein the second subset of addresses is different from the first subset of 
addresses; and 

configuring one or more security restrictions with respect to the new network 
address. 
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